Proof of Identity for Accessing Centrelink Payments
The objective of the audit was to determine whether the POI information recorded by Centrelink accords with relevant policy and thereby effectively supports informed decision-making regarding eligibility for the payment of various benefits to Centrelink customers
1. Successive Australian Governments have required social security payment recipients to provide proof of identity (POI) documents as part of establishing their eligibility. Centrelink is the Australian Government's primary delivery agency for social security payments. As a statutory agency under the umbrella of the Department of Human Services (DHS), Centrelink is accountable, through the Secretary of DHS, to the Minister for Human Services. With 26 564 employees and a departmental budget of $2.3 billion, the agency administered $63.5 billion in payments and delivered a range of services to 6.49 million customers in 2005–06.1
2. To ensure that abuses of the social security system are minimised, Centrelink has established POI requirements for customers under the Social Security (Administration) Act 1999 (SSA Act). While POI is not essential for all payments made by Centrelink,2 the requirements are a gateway to many Centrelink payments and/or benefits, for example, Age Pension, Disability Support Pension, Newstart Allowance, Carer Allowance and Low Income Health Care Card.3
3. Accordingly, the requirement for customers to provide satisfactory POI is a key element of the control framework for social security payments. The effectiveness of this control relies on Centrelink efficiently administering the requirements of the current POI model to ensure that customers only receive payments (and/or benefits) if they have provided the required POI documentation.4
Centrelink's current proof of identity model
4. The POI model currently used by Centrelink is a tiered, risk-based model that was introduced in September 2001. Under this model, the majority of Centrelink's customers are required to prove both their commencement of identity in Australia (by demonstrating either proof of their birth or arrival in the country) and the use of that identity in the community.
5. Examples of the types of documents that customers can use to prove that they were born in Australia, or when they arrived in the country, include: a birth certificate, an Australian passport, a citizenship certificate, or an Australian visa .5 Other approved documents that customers can use to achieve the tier level status required for their payment and/or benefit include: bank account cards, an Australian driver's licence, Medicare card, and student identification cards. Figure 1 is a simplified outline of the model, which is presented in detail in Chapter 1, Figure 1.1.
Source: ANAO 2007.
6. Centrelink relies on the application of the tiered POI model to provide assurance on the integrity of the related outlays for the three policy departments that together purchase the majority of services from the agency—the Department of Families, Community Services and Indigenous Affairs (FaCSIA), the Department of Employment and Workplace Relations (DEWR), and the Department of Education, Science and Training (DEST).
Audit objective and scope
7. The objective of the audit was to determine whether the POI information recorded by Centrelink accords with relevant policy and thereby effectively supports informed decision-making regarding eligibility for the payment of various benefits to Centrelink customers.
8. Since Centrelink has approximately 6 million current customers, it was impractical, as part of the audit, to check every customer's individual record. Thus, a sample of customer records was drawn and examined. From this sample, inferences were made about the entire population of current customer records.
9. The ANAO used the sample results to assess Centrelink's administration of POI requirements against three main criteria, which are summarised as follows:
- Centrelink has adequate POI policy/guidelines for establishing a customer's identity;
- Centrelink's customer POI information held on paper files is correct and sufficient to meet the requirements of the agency's policy and guidelines to establish the identity of Centrelink customers; and
- Centrelink's customer POI information held on paper files matches the POI information held in the main electronic customer database.
The audit findings reported in Chapters 2–4 of this report appear in the same order as the above three criteria.
10. For specified social security payments (and/or services) Centrelink's Customer Service Advisors (CSAs) are required in all circumstances to collect sufficient standard or alternative POI6 from customers before granting a payment (and/or service).
11. Based on the results of a sampling exercise conducted for this audit, it is estimated that there is a 95 per cent probability that 15.5 per cent (±2.1 per cent), or between 573 778 (13.4 per cent) and 751 798 (17.6 per cent), of the approximately 4.3 million Centrelink customers who are required to provide POI before they are granted a payment7 have insufficient POI on their paper file to meet the POI guidelines in place at the time a payment was granted to them.
12. The estimated number of Centrelink customers with insufficient POI on their paper file is, in part, a legacy of the application of previous POI models in Centrelink's predecessor agencies.8 However, if the POI recorded for a current Centrelink customer is insufficient, then the customer's record does not accord with relevant agency policy for the collection of POI and does not effectively support informed decision-making regarding eligibility for the payment of various benefits.
13. Accordingly, the results of the sampling exercise conducted for this audit indicate a weakness in Centrelink's control framework for social security payments and a risk to the integrity of outlays because, for customers with insufficient POI on their paper file, there is an increased risk that Centrelink may be making payments to which the recipients are not entitled.9
Action taken by Centrelink during the audit to address the ANAO's findings
14. The audit results reported in paragraph 11 regarding the estimates of current Centrelink customers with insufficient POI on their paper file to meet the POI guidelines in place at the time a payment was granted to them are based on a sampling exercise, rather than a check of all relevant records in the population of current Centrelink customer records. Accordingly, Centrelink is not able to readily identify particular customers falling into this group.
15. However, the ANAO provided Centrelink with details for the 180 customers identified in the audit's sample as having insufficient POI. Centrelink advised the ANAO that it has subsequently undertaken action in relation to these cases and is now satisfied that these customers have provided sufficient POI and this is stored on their paper file.
16. The outcome of the action taken by Centrelink to review those customers in the audit sample, which were identified by the ANAO as having insufficient POI on their file, demonstrates that an increased risk resulting from this position does not necessarily mean that such customers have received payments or benefits to which they are not entitled.
Key findings by chapter
Centrelink's Current Customer Proof of Identity Model (Chapter 2)
17. Centrelink's requirement for customers to provide satisfactory POI is an essential element of the control framework for social security payments. This control relies on Centrelink administering the requirements of the current POI model effectively and efficiently to ensure that customers only receive payments (and/or services) if they have provided the required POI documentation. The application of Centrelink's tiered POI model provides assurance on the integrity of the related outlays for the three policy departments that together purchase the majority of services from the agency—FaCSIA, DEWR and DEST.
18. In examining the development process for the tiered POI model in Centrelink, the ANAO found that record keeping was not adequate. Documentation of significant policy decisions, and associated risk analyses, were not maintained by Centrelink or the then Department of Family and Community Services. The ANAO considers that it is important that Centrelink ensure that adequate records are always maintained for business projects. Centrelink should also maintain appropriate records relating to the development and approval of key policy decisions, including of any consultation with purchaser departments and/or, where required, their approval of the implementation of the relevant policy decision.
19. Centrelink's ‘POI Document Coding Guide'—an essential part of the supporting material CSAs use to implement the tiered POI model—is issued in accordance with the relevant Chief Executive Instructions and is consistent with both the aims of the tiered POI model and the SSA Act. However, the useability of the current POI guidelines remains unclear and Centrelink has been unable to assess if CSAs are actively using the POI support material. Centrelink's analysis in August 2005 of nationwide test results of CSAs' knowledge of POI requirements indicated that further staff training in POI was required. This analysis also indicated that the supporting materials needed to be reviewed to identify any potentially confusing content.
20. The circumstances of some of Centrelink's customers put them at risk of being unable to meet, either in the short term or not at all, standard proof of identity requirements for accessing the social security payments they need.10 In 2004–05, Centrelink estimated some five per cent of its customers would have difficulty providing sufficient POI to satisfy the tiered POI model's requirements. Centrelink's Alternative POI and Identity Review Period procedures offer methods to deal with this issue for customers who are unable to meet, either in the short term or not at all, the standard requirements of the tiered POI model. However, these procedures have not always been consistently applied by CSAs.
21. Centrelink has not evaluated the outcomes from an ‘At-Risk Customers' project conducted in 2004–05 to address the capacity of such customers to meet the requirements of the tiered POI model and the inconsistent application of Alternative POI and Identity Review Period procedures by CSAs. The ANAO concluded that there would be benefit in Centrelink conducting a post-implementation review of the ‘At-Risk Customers' project as this could inform any decision on whether, or the extent to which, to adopt Centrelink's current approach to handling POI for such customers when registering such customers for the Access Card if it is introduced.11 Accordingly, the ANAO recommended that Centrelink undertake a post-implementation review of the 2004–05 ‘At-Risk Customers' project.
Centrelink's Application of Proof of Identity Guidelines (Chapter 3)
22. The primary random sample for this audit was selected in accordance with expert advice from the Australian Bureau of Statistics Statistical Consultancy Unit (ABS SCU) (see Appendix 1). The ANAO also engaged the ABS SCU to calculate sample loss12 from the ANAO's initial sample of 1 200 customer records and to analyse the ANAO's results from its examination of the remaining 1 158 records in the ANAO's sample. Based on the results of the ANAO's assessment of this sample of current Centrelink customer records, the ABS SCU estimated that there is a 95 per cent probability that 15.5 per cent (±2.1 per cent), or between 573 778 (13.4 per cent) and 751 798 (17.6 per cent), of the approximately 4.3 million Centrelink customers who are required to provide POI before they are granted a payment13 have insufficient POI on their paper file to meet the POI guidelines in place at the time a payment was granted to them.
23. These audit results indicate a weakness in Centrelink's control framework for social security payments and a risk to the integrity of outlays because, for customers with insufficient POI on their paper file, there is an increased risk that Centrelink may be making payments to which the recipients are not entitled. Implementation of the recommendations contained in this report will go some considerable way to reducing that risk.
24. While the sample results indicate a weakness in Centrelink's control framework for social security payments, the results do not provide evidence of identity fraud among Centrelink's customers or internal fraud by CSAs.14 The outcome of action taken by Centrelink to review those customers in the audit sample, which were identified by ANAO as having insufficient POI on their file, demonstrates that the results do not necessarily mean that customers found to have insufficient POI on file have received payments to which they are not entitled (see paragraphs 14–15).
25. The estimated number of Centrelink customers with insufficient POI on their paper file is, in part, a legacy of the application of previous POI models in Centrelink's predecessor agencies including the former Department of Social Security (1972) and the former Department of Social Services (1939). Centrelink has been the main agency responsible for delivering social security payments on behalf of the Australian Government since 1997.
26. The sample results suggest that CSAs are following the guidelines for the tiered POI model introduced in 2001 more accurately than the guidelines applying under previous models.15 However, some 12.5 per cent of customers in the sample, who had provided their POI under the current tiered POI model, had insufficient POI on file to satisfy the current requirements. This impacts on the level of business assurance that Centrelink can provide to the agency's three major purchaser departments—FaCSIA, DEWR and DEST.
27. Age pensioners make up Centrelink's largest group of social security payment recipients required to provide POI before payment can be granted. Reflecting this, Age Pension customers were the largest proportion of customers in the ANAO's sample with insufficient POI on their paper file. This situation highlights the importance of CSAs accurately applying the existing POI requirements for this large, and growing, group of Centrelink customers.
28. Results for a second ANAO sample of 100 tier 0 customers16 —customers whose only involvement with Centrelink was to receive payments that did not require POI—indicated that: it was unlikely that there was systematic collection of unnecessary POI that could be an issue from a privacy perspective for customers; there was unlikely to be an unnecessary burden placed on tier 0 customers to provide POI not required under the tiered POI model; and, there was no indication that Centrelink's resources were unnecessarily used to collect POI not required under the tiered POI model.
29. The ‘Original Sighted and Returned' (OS&R) certification verifies that the documents held on Centrelink's paper files are copies of original documents that were sighted by a CSA. The ANAO found that up to 18 per cent of customers' POI records, from a total of 1 076 customers,17 did not have reliable OS&R certification.
30. Approximately nine per cent of the customers' records in the ANAO's sample had some POI documentation on file that had been poorly photocopied and, as a result, was less useful for Centrelink's purposes (data entry and verifying a customer's identity in the future). It is noted that the planned introduction of an Access Card involves changing how future Centrelink customers establish their identity from the commencement of the registration process for the Access Card, possibly including a move to electronically scanning and storing customers' POI documents. It will remain important that agencies involved in the registration process for the Access Card ensure the quality of the relevant POI collection processes.
31. The ANAO recommended that Centrelink improve the application of the current POI model by ensuring that, where possible, Quality On-Line18 (QOL) checking officers examine POI for compliance with the current POI guidelines, and by reviewing current training and guidance provided to CSAs on compliance with POI operational guidelines.
Centrelink's Electronic Recording of Proof of Identity Data (Chapter 4)
32. Centrelink relies on the accuracy of the information stored electronically in the Income Security Integrated System (ISIS19 )—Centrelink's main electronic customer database—for thousands of daily business transactions with customers. Centrelink also uses customers' POI data contained in the agency's main database (ISIS) to assist with the detection of social security payment fraud, including carrying out data matching activities with other government agencies.
33. There has been an overall improvement in CSAs' electronic coding of POI documents in ISIS since the introduction of the tiered POI model on 17 September 2001. However, the ANAO found a variation in the accuracy of the coding for different documents, with the accuracy rates of documents coded after 17 September 2001 ranging from 100 per cent (for infrequently used POI documents, such as shooters' licences) to 67 per cent for more commonly used document types such as an Australian birth certificate.
34. Typographical errors made by CSAs were the major reason for inaccurate electronic coding of customers' POI documents, overall, and for documents coded after 17 September 2001, assessed in the ANAO's sample of customer records. The ANAO recommended that Centrelink use an existing quality review process—QOL—to identify and reduce the impact of typographical errors made when CSAs' inaccurately enter customers' POI document details in ISIS (see Recommendation 3, paragraph 4.23).
35. Additional controls in ISIS have increased the integrity of more recent POI data and improved CSAs' performance when entering customers' POI data for the first time into ISIS. Less than one per cent of documents in the four key POI document types assessed by the ANAO had data recorded in ISIS by CSAs that obviously bore no resemblance to the correct serial number for the documents.
36. The ANAO suggested that Centrelink continue to monitor the accuracy of CSAs' coding of POI in ISIS to assist in assessing the need for future targeted training on coding for CSAs.20 Mandating the format of data fields in ISIS has assisted in improving the recording of POI document details. However, it is not on its own sufficient to ensure the quality and accuracy of Centrelink customers' POI data entered by CSAs. Controlling the standard entry format of a particular data field does not prevent errors occurring where a CSA enters into the system an incorrect serial number entry that appears to fulfil the required format.
37. The ANAO examined the impact on current customers' POI data integrity in ISIS of CSAs using workflow tools such as scriptors.21 The ANAO suggested that Centrelink identify those scriptors with an element of POI embedded in them and review the current screen flow when entering data into the ISIS system using the scriptor to ensure that an opportunity is not being lost to review the electronic data integrity of current customers' POI records.
38. The Chief Executive Officer of Centrelink provided the following response to the proposed audit report:
Centrelink welcomes this report and is pleased that the report recognises the effort that Centrelink has made to improve the management of proof of identity over time. Centrelink considers that implementation of the recommendations in the report will enhance administration of the current tiered Proof of Identity (POI) model and contribute to the development of the Health and Human Services Access Card.
Centrelink accepts that there were administrative errors associated with the POI on the paper file of some of its customers. It is important to note that Centrelink has conducted a detailed review of all cases containing error and is now satisfied that appropriate POI documentation has been provided for every case. This means that there has been no inappropriate outlays for these cases associated with POI documentation. It is clear, in these cases that insufficient POI recorded on the paper file has not translated to incorrect payment.
In this context it is also worth noting that the ANAO did not find any evidence or suggestion to the effect that there was any identity fraud and Centrelink, in its more detailed review of cases, found no evidence of identity fraud.
It should be noted that Centrelink is dealing with legacy systems and processes that date back decades.
Proof of identity is an important element of Centrelink's overall strategy to protect the integrity of outlays for our policy departments. Proof of identity is an upstream control in this regard and Centrelink has a wide range of effective downstream controls to further assure these outlays.
Department of Human Services
39. The Secretary of the Department of Human Services provided the following response to the proposed audit:
The Department of Human Services (DHS) welcomes the report by the ANAO and acknowledges the importance of Proof of Identity (POI), particularly in the context of the development of the proposed Access Card. The audit will enable DHS and Centrelink to incorporate the relevant learnings in the development of POI verification mechanisms for the Access Card.
The planned introduction of an access card involves changing how people who apply and register for an access card will establish their identity. This will include a robust registration process and verification of key POI documents directly with the source agency.
The ANAO report notes significant improvement to POI arrangements since the introduction of the current tiered POI model in 2001 and the three recommendations, aimed at strengthening the operation of the existing tiered POI model, present some constructive findings.
DHS considers that careful attention to design of the POI aspect of the Access Card implementation and implementation of the Centrelink fraud and compliance measures that are underway will address the recommendations presented in the audit.
Department of Families, Community Services and Indigenous Affairs
40. The Secretary of FaCSIA provided the following response to a relevant extract of the proposed audit report:
The Australian National Audit Office's (ANAO) findings at paragraphs 2.21 and 2.22 reinforce the need for the Department of Families, Community Services and Indigenous Affairs (FaCSIA) to have in place quality project development and implementation processes that include quality record keeping of project documentation. FaCSIA's Strategic Framework 2006–09 includes Core Business Processes that ensure these processes are in place across the department. Adherence to the Core Business Processes is mandatory for all FaCSIA projects.
To further improve implementation and governance of projects, the FaCSIA and Centrelink Business Partnership Agreement 2006–2010 requires that all projects Centrelink implement on behalf of FaCSIA are jointly planned and monitored. This agreement defines FaCSIA's requirements of Centrelink in the effective delivery of projects and services and is being used for the implementation of the new measures from the 2007–08 Budget.
The development and implementation of the tiered POI model occurred under a framework that is different to current arrangements. I am confident the current arrangements will help to ensure that the shortcomings identified in the issues paper are not repeated.
41. The proposed introduction of the health benefits, veterans' and social services access card (Access Card)22 will involve revised processes which will replace the current POI procedures in Centrelink, as well as those POI procedures currently in place in other relevant Australian Government agencies. However, the Access Card is not currently planned to be a mandatory requirement for accessing Centrelink payments and services until up to three and a half years following the passage of the relevant legislation through the Parliament.23 Accordingly, it remains important that Centrelink effectively implements the current tiered POI model.
42. The ANAO made three recommendations aimed at strengthening the operation, and therefore effectiveness of, Centrelink's existing tiered POI model. Centrelink agreed with all three recommendations.
1 Centrelink, Annual Report 2005–06 [Internet]. Centrelink, Canberra, 2006, pp. 8–9, available from <http://www.centrelink.gov.au> [accessed 19 March 2007], and Department of Human Services, Portfolio Budget Statements 2005–06 [Internet]. DHS, Canberra, 2006, pp. 65–66, available from <http://www.dhs.gov.au> [accessed 13 April 2007].
2 Payments made under the A New Tax System (Family Assistance) (Administration) Act 1999 such as Family Tax Benefit Part A and Part B payments and Child Care Benefit do not require POI to be provided.
3 See Table 1.1 in Chapter 1 for a list of specific Centrelink payments and their POI requirements.
4 Some customers at risk of not being able to meet the requirements of the model are afforded the Alternative POI arrangement (see paragraph 2.55–2.58 for an Alternative POI discussion).
5 Until recently it has been usual for visas to be in an overseas passport. However visas are increasingly being provided electronically.
6 If the CSA is convinced the customer is who they claim to be, a CSA may grant a customer a payment using ‘Alternative POI' if a customer has genuine difficulty in providing adequate identity documents within 28 days (see paragraph 2.56).
7 These 4.3 million customers were in-scope for the ANAO's sample. The scope of a survey is the population of units about which conclusions need to be drawn—the ‘in-scope' population. Before the start of the sampling phase the in-scope population was determined by the ANAO to be all current Centrelink customers who had been receiving one or more tier 1, 2 or 3 payments (see Figure 1) for more than ten weeks. (Centrelink informed the ANAO that it can take up to ten weeks for a customer's paper file to be created after the customer begins receiving a benefit.) During the sampling phase certain subpopulations were identified that were out of scope (See Chapter 3). Therefore, the final in-scope population calculated by the Australian Bureau of Statistics Statistical Consultancy Unit (ABS SCU) was 4 263 934 current customer records.
8 Predecessor agencies include the former Department of Social Security (established in 1972) and the former Department of Social Services (established in 1939). Centrelink has been the main agency responsible for delivering social security payments on behalf of the Australian Government since 1997.
9 The first of four pillars of payment correctness included in the Business Assurance Framework between Centrelink and FaCSIA is ‘right person' (see paragraphs 2.26 and 2.27 for details of the framework). The four pillars are:
- right person (established by POI);
- right programme;
- right rate; and
- right date.
10 At-risk customers might include people who are: released prisoners; homeless people; people who are institutionalised; refugees; Indigenous people; people with severe disabilities; members of religious orders; and, some migrants to Australia.
11 The Office of Access Card, within DHS, is responsible for introducing the health benefits, veterans' and social services access card and overseeing the development of POI requirements and processes for card registration.
12 Sample loss refers to units that have been selected in the sample but for which information cannot be obtained. There were 17 files that the sampling team was unable to assess during the audit. The remainder of the sample loss (25 records) came from three different subpopulations that were discovered during the sampling phase. These subpopulations include:
- seven records in total that were out of scope because their only payment with assessable POI was granted less than ten weeks before the extract was run (two of these records are part of the files that were not assessed by the sampling team);
- 13 records were out of scope because they were records for customers in receipt of payment pursuant to an International Social Security Agreement. The responsibility for collection of POI for these customers lies with the partner country rather than with Centrelink; and
- seven records identified that had information stored on microfische that could not be accessed during the audit period. This meant that the POI on these records could not be assessed as either sufficient or insufficient.
13 That is those customers who are required to provide POI before they are granted a payment and who were in-scope for the ANAO's sample (see footnote 7 and Chapter 3).
14 An investigation of identity fraud matters was outside the objective and scope of this audit and, in the course of reviewing the records of the 1 158 Centrelink customers included in the ANAO's sample, the ANAO did not come across evidence of identity fraud by customers or of internal fraud by CSAs in relation to these records.
15 The results of the ANAO's analysis indicate that customers in this category were the least likely to have insufficient POI on their paper file (see Table 3.3, paragraph 3.45).
16 The payments were predominantly Family Assistance Office payments. For example, Family Tax Benefit Part A and Part B payments, Child Care Benefit and Maternity Payment.
17 See footnote 122 for an explanation for the exclusion of 82 customer records in the ANAO's sample of
1158 customer records from this analysis.
18 QOL is a checking system that monitors the quality of CSAs' work. New CSAs are required to have 100 per cent of their work checked through QOL and proficient CSAs have five per cent of their work QOL checked. The QOL checker, as they are known, has available to them the customer's photocopied POI that can be physically checked against the CSA's document coding work in ISIS.
19 ISIS is a suite of systems for recording customer claims, and processing Centrelink payments.
20 This finding is consistent with Recommendation No.1 from ANAO Audit Report No.29 2005–06
Integrity of Electronic Customer Records, which recommended that Centrelink improve the usefulness and effectiveness of its data integrity reporting system, p. 24.
21 A workflow tool developed by Centrelink that aims to standardise and automate processes used by the agency's officers to enter customer data into the Centrelink online systems.
22 Currently planned to be progressively introduced within 18 months following the passage of the relevant legislation through the Parliament.
23 Advice from the Office of Access Card to the ANAO in September 2007.